
curl: 7.82.0 -> 7.83.0 #170654

Merged
merged 1 commit into from
Apr 29, 2022

Conversation

mweinelt
Member

https://curl.se/changes.html#7_83_0
https://curl.se/docs/CVE-2022-22576.html
https://curl.se/docs/CVE-2022-27774.html
https://curl.se/docs/CVE-2022-27775.html
https://curl.se/docs/CVE-2022-27776.html

Fixes: CVE-2022-22576, CVE-2022-27774, CVE-2022-27775, CVE-2022-27776

Description of changes
Things done
  • Built on platform(s)
    • x86_64-linux
    • aarch64-linux
    • x86_64-darwin
    • aarch64-darwin
  • For non-Linux: Is sandbox = true set in nix.conf? (See Nix manual)
  • Tested, as applicable:
  • Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
  • Tested basic functionality of all binary files (usually in ./result/bin/)
  • 22.05 Release Notes (or backporting 21.11 Release notes)
    • (Package updates) Added a release notes entry if the change is major or breaking
    • (Module updates) Added a release notes entry if the change is significant
    • (Module addition) Added a release notes entry if adding a new NixOS module
    • (Release notes changes) Ran nixos/doc/manual/md-to-db.sh to update generated release notes
  • Fits CONTRIBUTING.md.
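An added check, not part of this PR or of nixpkgs: a POSIX shell snippet that parses the first line of `curl --version`, extracts the libcurl version, and reports whether it is at or past 7.83.0, the release this PR moves to for the four CVEs listed above. The two sample version lines are constructed for the example and were not captured from any real machine; the function and variable names are this example's own.

```shell
#!/bin/sh
# Added example: is the libcurl on a host at or past 7.83.0, the first
# release carrying the fixes for CVE-2022-22576, CVE-2022-27774,
# CVE-2022-27775 and CVE-2022-27776?
# Sample first lines of `curl --version`, constructed for this example.
SAMPLE_OLD='curl 7.82.0 (x86_64-pc-linux-gnu) libcurl/7.82.0 OpenSSL/1.1.1n zlib/1.2.12'
SAMPLE_NEW='curl 7.83.0 (x86_64-pc-linux-gnu) libcurl/7.83.0 OpenSSL/3.0.2 zlib/1.2.12'

# Print the libcurl version from a `curl --version` first line.
# The libcurl/ field is the one that matters: other programs link the
# library, and the curl binary may be newer or older than the library
# it was built against.
libcurl_version() {
  printf '%s\n' "$1" | sed -n 's/.*libcurl\/\([0-9][0-9.]*\).*/\1/p'
}

# Compare two dotted versions numerically, component by component.
# Prints -1, 0 or 1 so that "7.83.0" > "7.9.0" (no string comparison).
vercmp() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, pa, "."); nb = split(b, pb, ".")
    n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      x = (i <= na) ? pa[i] + 0 : 0
      y = (i <= nb) ? pb[i] + 0 : 0
      if (x < y) { print "-1"; exit }
      if (x > y) { print "1"; exit }
    }
    print "0"
  }'
}

# Returns 0 (true) when the libcurl in the given version line is >= 7.83.0,
# 1 when it is older, and 2 when the line could not be parsed at all.
curl_has_783_fixes() {
  v=$(libcurl_version "$1")
  [ -n "$v" ] || return 2
  [ "$(vercmp "$v" 7.83.0)" -ge 0 ]
}

# Stand-alone usage: check the local binary if present, else the sample.
if command -v curl >/dev/null 2>&1; then
  line=$(curl --version | head -n 1)
else
  line=$SAMPLE_NEW
fi
if curl_has_783_fixes "$line"; then
  echo "ok (>= 7.83.0): $line"
else
  echo "older than 7.83.0 or unparseable: $line"
fi
```

Version gating like this is only sound where fixes arrive as version bumps, as they do in nixpkgs with this PR. Distributions that backport the patches without changing the version string will be reported as old by this check, so cross-check against the package changelog before filing it as a finding.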

@mweinelt
Member Author

@ofborg eval

@mweinelt
Member Author

@lovek323 Please clarify if you're still interested in maintaining the curl package.

@lovek323
Member

lovek323 commented Apr 28, 2022

@lovek323 Please clarify if you're still interested in maintaining the curl package.

@mweinelt Yes, I'm still happy to maintain it. I can test these changes on NixOS and macOS – I know I've been quite lax in doing my duties here, so I'm interested to know if there are any requirements/suggestions for actions maintainers need to take so I can start contributing more proactively.

@Izorkin
Contributor

Izorkin commented Apr 29, 2022

Should we now enable HTTP/3 support by default?

@SuperSandro2000
Member

If it still requires the patched openssl I am not sure if we should.

SuperSandro2000 merged commit 811647c into NixOS:staging Apr 29, 2022
@SuperSandro2000
Member

I'm interested to know if there are any requirements/suggestions for actions maintainers need to take so I can start contributing more proactively.

It would be nice if you could update curl when a new version is out and add patches when CVEs are known. Also there are other topics like http3 which need some attention. Also it would be nice if not literally everything would be rebuilt when changing curl, but I am not sure how realistic that is.

mweinelt deleted the curl-7.83.0 branch April 29, 2022 12:21
@Izorkin
Contributor

Izorkin commented Apr 29, 2022

If it still requires the patched openssl I am not sure if we should.

Patch is based on this PR - openssl/openssl#8797
There will be no official support for a long time - https://daniel.haxx.se/blog/2021/10/25/the-quic-api-openssl-will-not-provide/

@SuperSandro2000
Member

I don't know. Is http3 support important at this time? I think it is pretty safe to assume that all websites support at least http1.1 or http2 in addition to http3 at this time. If someone else wants to make the call feel free but I don't want to block openssl security fixes by using a fork just for http3 support.

@Izorkin
Contributor

Izorkin commented Apr 29, 2022

All security updates for OpenSSL can be applied to Quictls:
quictls = openssl 3.0 + quic patch

@mweinelt
Member Author

Did anyone test the two Darwin platforms? Or are we going to be in for a surprise when this hits staging-next?

@mweinelt
Member Author

Should we now enable HTTP/3 support by default?

I don't mix security updates with enabling features. Feel free to create another PR for that.

@SuperSandro2000
Member

Did anyone test the two Darwin platforms? Or are we going to be in for a surprise when this hits staging-next?

I didn't because I had no hope that ofborg could build the stdenv before timing out. (Yes, darwin has curl in its stdenv...)

@NixOS/darwin-maintainers

@uri-canva
Contributor

Wouldn't we find out in staging-next? I'll test curl on 811647c, if it's broken I'll test it on cbdf1f4 to double check the break is not preexisting.

uri-canva mentioned this pull request Apr 30, 2022
@lovek323
Member

@SuperSandro2000 @mweinelt

Did anyone test the two Darwin platforms? Or are we going to be in for a surprise when this hits staging-next?

I have tested both x86_64-darwin and aarch64-darwin – the build failed for me on aarch64-darwin.

@lovek323
Member

Looks like it failed on the build of libarchive, so I assume it's not related to the fix in this PR?

PASS: bsdcat_test
FAIL: bsdcpio_test
PASS: bsdtar_test
PASS: libarchive_test
========================================
   libarchive 3.6.1: ./test-suite.log
========================================

# TOTAL: 4
# PASS:  3
# SKIP:  0
# XFAIL: 0
# FAIL:  1
# XPASS: 0
# ERROR: 0

.. contents:: :depth: 2

FAIL: bsdcpio_test
==================


If tests fail or crash, details will be in:
   /private/tmp/nix-build-libarchive-3.6.1.drv-0/bsdcpio_test.2022-04-29T03.48.54-000

Reference files will be read from: /private/tmp/nix-build-libarchive-3.6.1.drv-0/source/cpio/test
Running tests on: "/private/tmp/nix-build-libarchive-3.6.1.drv-0/source/bsdcpio"
Exercising: bsdcpio 3.6.1 - libarchive 3.6.1 zlib/1.2.12 liblzma/5.2.5 bz2lib/1.0.6 libzstd/1.5.2

  0: test_0                                                          ok
  1: test_basic                                                      ok
  2: test_cmdline                                                    ok
  3: test_extract_cpio_Z                                             ok
  4: test_extract_cpio_bz2                                           ok
  5: test_extract_cpio_grz                                           ok (S)
  6: test_extract_cpio_gz                                            ok
  7: test_extract_cpio_lrz                                           ok (S)
  8: test_extract_cpio_lz                                            ok
  9: test_extract_cpio_lz4                                           ok (S)
 10: test_extract_cpio_lzma                                          ok
 11: test_extract_cpio_lzo                                           ok (S)
 12: test_extract_cpio_xz                                            ok
 13: test_extract_cpio_zstd                                          ok
 14: test_format_newc                                                ok
 15: test_gcpio_compat                                               ok
 16: test_missing_file                                               ok
 17: test_option_0                                                   ok
 18: test_option_B_upper                                             ok
 19: test_option_C_upper                                             ok
 20: test_option_J_upper                                             ok
 21: test_option_L_upper                                             ok
 22: test_option_Z_upper                                             ok
 23: test_option_a                                                   ok
 24: test_option_b64encode                                           ok
 25: test_option_c                                                   ok
 26: test_option_d                                                   ok
 27: test_option_f                                                   ok
 28: test_option_grzip                                               ok (S)
 29: test_option_help                                                ok
 30: test_option_l                                                   ok
 31: test_option_lrzip                                               ok (S)
 32: test_option_lz4                                                 ok (S)
 33: test_option_lzma                                                ok
 34: test_option_lzop                                                ok (S)
 35: test_option_m                                                   ok
 36: test_option_passphrase                                          ok
 37: test_option_t                                                   FAIL
 38: test_option_u                                                   ok
 39: test_option_uuencode                                            ok
 40: test_option_version                                             ok
 41: test_option_xz                                                  ok
 42: test_option_y                                                   ok
 43: test_option_z                                                   ok
 44: test_option_zstd                                                ok
 45: test_owner_parse                                                ok
 46: test_passthrough_dotdot                                         ok
 47: test_passthrough_reverse                                        ok

Totals:
  Tests run:               48
  Tests failed:             1
  Assertions checked:   16365
  Assertions failed:        1
  Skips reported:           8

Failing tests:
  37: test_option_t (1 failures)

Details for failing tests: /private/tmp/nix-build-libarchive-3.6.1.drv-0/bsdcpio_test.2022-04-29T03.48.54-000

FAIL bsdcpio_test (exit status: 1)

============================================================================
Testsuite summary for libarchive 3.6.1
============================================================================
# TOTAL: 4
# PASS:  3
# SKIP:  0
# XFAIL: 0
# FAIL:  1
# XPASS: 0
# ERROR: 0
============================================================================
See ./test-suite.log
Please report to libarchive-discuss@googlegroups.com
============================================================================
make[3]: *** [Makefile:14845: test-suite.log] Error 1
make[3]: Leaving directory '/private/tmp/nix-build-libarchive-3.6.1.drv-0/source'
make[2]: *** [Makefile:14953: check-TESTS] Error 2
make[2]: Leaving directory '/private/tmp/nix-build-libarchive-3.6.1.drv-0/source'
make[1]: *** [Makefile:15187: check-am] Error 2
make[1]: Leaving directory '/private/tmp/nix-build-libarchive-3.6.1.drv-0/source'
make: *** [Makefile:15189: check] Error 2
error: builder for '/nix/store/2mxm9z0y9f6ssj5514wmkqxhad480bjv-libarchive-3.6.1.drv' failed with exit code 2;
       last 10 log lines:
       > See ./test-suite.log
       > Please report to libarchive-discuss@googlegroups.com
       > ============================================================================
       > make[3]: *** [Makefile:14845: test-suite.log] Error 1
       > make[3]: Leaving directory '/private/tmp/nix-build-libarchive-3.6.1.drv-0/source'
       > make[2]: *** [Makefile:14953: check-TESTS] Error 2
       > make[2]: Leaving directory '/private/tmp/nix-build-libarchive-3.6.1.drv-0/source'
       > make[1]: *** [Makefile:15187: check-am] Error 2
       > make[1]: Leaving directory '/private/tmp/nix-build-libarchive-3.6.1.drv-0/source'
       > make: *** [Makefile:15189: check] Error 2
       For full logs, run 'nix log /nix/store/2mxm9z0y9f6ssj5514wmkqxhad480bjv-libarchive-3.6.1.drv'.
error: 1 dependencies of derivation '/nix/store/mvb6g2sy3lg76gi391ajl8x80995qz4d-cmake-3.22.3.drv' failed to build
error: 1 dependencies of derivation '/nix/store/hjvyfqyv8fvk2navrqwn958l4mc9pmdj-brotli-1.0.9.drv' failed to build
error: 1 dependencies of derivation '/nix/store/hif8dwj9qn995niqpmsgxd2q0lhqri7l-curl-7.83.0.drv' failed to build

@lovek323
Member

@SuperSandro2000

It would be nice if you could update curl when a new version is out and add patches when CVEs are known. Also there are other topics like http3 which need some attention. Also it would be nice if not literally everything would be rebuilt when changing curl, but I am not sure how realistic that is.

I'm happy to update the curl package when new releases come out and backport fixes (as long as I can learn all the places I need to do that), but in terms of fixing more fundamental issues like everything rebuilding, I think that's beyond my current abilities.

@uri-canva
Contributor

I got that same failure on x86_64-darwin. Haven't built it on aarch64-darwin yet.

@uri-canva
Contributor

Also it would be nice if not literally everything would be rebuilt when changing curl, but I am not sure how realistic that is.

After you mentioned it I had a look and I was quite confused to find out darwin stdenv has curl in it, and in stage 1 even. I found a related issue #9655, which looks at the resulting stdenv, but the closure for building the various stages is even bigger; it even includes python3. I had a look at the PRs in the repo and there are 1281 PRs with the rebuild-darwin-stdenv label, but only 788 of them have the rebuild-linux-stdenv. Most of them are darwin specific changes, or changes that should rebuild stdenv because they affect llvm, but there are also changes to curl, openssl and python:
https://github.com/NixOS/nixpkgs/pulls?q=is%3Aopen+is%3Apr+label%3A10.rebuild-darwin-stdenv+-label%3A10.rebuild-linux-stdenv+

@risicle
Contributor

risicle commented Apr 30, 2022

The libarchive tests were only recently put in place (by me). I should try and sort that out.

@uri-canva
Contributor

Can confirm they fail before this PR.

@risicle
Contributor

risicle commented Apr 30, 2022

Am trying to get the contents of that file bsdcpio_test.<timestamp> in #171016. I don't think it happens on systems other than ofborg though so it may be a little tricky.

@trofi
Contributor

trofi commented May 1, 2022

Bisect claims 85f5539 curl: 7.82.0 -> 7.83.0 broke python3Packages.pycurl tests in staging (curl error messages added (or removed?) !):

$ nix build -f. -L python3Packages.pycurl
...
python3.9-pycurl> tests/error_test.py F..F                                                 [ 12%]
...
python3.9-pycurl> >           self.assertEqual('No URL set!', msg)
python3.9-pycurl> E           AssertionError: 'No URL set!' != 'No URL set'
python3.9-pycurl> E           - No URL set!
python3.9-pycurl> E           ?           -
python3.9-pycurl> E           + No URL set
python3.9-pycurl> tests/error_test.py:32: AssertionError

@trofi
Contributor

trofi commented May 1, 2022

Should be fixed upstream as pycurl/pycurl@d47c68b

@trofi
Contributor

trofi commented May 1, 2022

Proposed possible fix for pycurl as #171098

@risicle
Contributor

risicle commented May 1, 2022

@uri-canva Do/did they fail for you on your own machine? Sorry, this is off-topic; I'll move it to #171016.

@uri-canva
Contributor

@risicle debugged the failure in that other PR and it turned out to be a machine specific issue, I ran the curl build from this PR again on a different x86_64-darwin machine and it passed. Unfortunately I don't have an aarch64-darwin machine that won't exhibit the issue to test this.

@siraben
Member

siraben commented May 3, 2022

@uri-canva builds for me on aarch64-darwin.
